[WEB SECURITY] Need a vulnerable XML Web Service

Andre Gironda andreg at gmail.com
Mon Jun 7 14:24:28 EDT 2010


On Fri, Jun 4, 2010 at 5:18 PM, Arian J. Evans
<arian.evans at anachronic.com> wrote:
> I recommend people perform the following on web services:
>
> + Threat modeling, especially on B2B or WS to WS, to make sure you understand your attack surface
> + Human source-code review, to review your controls implementation particularly AuthC/Z
> + Run-time analysis to see how the running engine handles input thrown into it
> + A customized source-code scanner might be useful here for repeated testing over time

Yes, but you don't explain these correctly. More depth please!

Threat-modeling can be done in various ways. I prefer the approach
taken by the book Security Patterns to use OOA&D style domain and
sequence diagrams in UML 2.0. Rohit Sethi took this a bit further with
his more-awesome approach here --
http://labs.securitycompass.com/index.php/2009/04/20/security-analysis-of-core-j2ee-design-patterns/

Microsoft just likes the whole DFD concept, although HP has been
talking about EFDs lately, too. Of course, DFDs look best in the latest
version of Microsoft Office Visio...

Secure code review is retarded. It takes too much time and effort to
read through the code. Unless, of course -- you know exactly what you
are looking for and where to look for it. In order to do this you need
to do 1 of 3 top level things:
1) Map URLs to source code or source code to URLs, often by using web
xml configs, view folders, traversals, etc
2) Use ESAPI or other way of centralizing the security control
architecture in the overall code architecture
3) Cheat #1 by using something like Fortify PTA or a code coverage /
code understanding tool

Run-time analysis for web services is great if using something like
Fortify PTA... as long as it understands your framework(s) and choice
of architecture pieces and components, particularly 3rd-party
components that Fortify does not work with in the
source/sink/pass-thru database, or easily via their custom rules.

Without Fortify PTA, many run-time analysis tools can be integrated,
particularly passive analysis tools such as Burp Suite Pro's passive
scanner, Casaba's Watcher, and Google Ratproxy.

Many organizations that roll their own Web services also test it for
usability and functionality with a test harness. If you can get access
to the test harness, you can run it through all of these passive
analysis tools, and/or use Fortify PTA/RTA. Sometimes the test harness
is written in supernova.dev.java.net or other Eclipse / Java
Enterprise IDE clone (or Eclipse integration test plugins of some
kind), or perhaps Canoo WebTest, Selenium RC, Watij/WatiN/Watij, Sahi,
or WindMill. It could be a commercial tool such as HP QTP as well, and
there are a few others of these from small vendors and large vendors
(e.g. Parasoft) alike.

Either way, there is usually a test harness. The Java Power Tools
O'Reilly book mentions SoapUI for REST testing, as Arshan recommended.
It's a great tool, as seen from Marcin's old post on TS-SCI Security
-- http://www.tssci-security.com/archives/2008/12/14/writing-a-web-services-fuzzer-in-5-minutes-to-sql-injection/

Leverage the current test harness. This is a legitimate answer to all
web app scanner usage -- why re-invent the wheel?

I have been planning a presentation/talk on the above ideas -- as well
as some other ideas I've had to leverage existing developer/test
resources. Expect it to happen in the next 2-3 months, probably after
I've had a chance to talk to all of the better pen-testers and code
reviewers at BlackHat US, Defcon, BSidesLV, etc next month. Please
find me if you have some additional ideas or thoughts you'd like to
share. Even if your name is Arian Evans.

Cheers,
Andre
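An added example (not part of Andre's post) of point 1 in the code-review section above: mapping URL patterns in a Java web.xml to servlet classes, and cross-checking them against the deployment descriptor's security-constraints so a reviewer knows which endpoints to read first for AuthC/Z. The web.xml content, class names and role names are constructed for the example; the pattern matching is a fnmatch approximation of the servlet spec, not the container's exact algorithm.

```python
"""Map web.xml URL patterns to servlet classes and flag patterns that no
<security-constraint> with an <auth-constraint> covers.  The sample
descriptor below is constructed for this example."""
import fnmatch
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet><servlet-name>OrderWS</servlet-name>
    <servlet-class>com.example.ws.OrderService</servlet-class></servlet>
  <servlet><servlet-name>AdminWS</servlet-name>
    <servlet-class>com.example.ws.AdminService</servlet-class></servlet>
  <servlet-mapping><servlet-name>OrderWS</servlet-name>
    <url-pattern>/ws/orders/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>AdminWS</servlet-name>
    <url-pattern>/ws/admin/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>orders</web-resource-name>
      <url-pattern>/ws/orders/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _children(el, name):
    # Ignore the XML namespace so the same code works for any web-app schema.
    return [c for c in el if c.tag.split('}', 1)[-1] == name]

def _text(el, name):
    return [(c.text or '').strip() for c in _children(el, name)]

def map_web_xml(xml_text):
    """Return {url-pattern: {'class': servlet-class, 'auth': bool, 'roles': [...]}}."""
    root = ET.fromstring(xml_text)
    classes = {_text(s, 'servlet-name')[0]: _text(s, 'servlet-class')[0]
               for s in _children(root, 'servlet')}
    constraints = []  # (url-pattern, has auth-constraint, role names)
    for sc in _children(root, 'security-constraint'):
        acs = _children(sc, 'auth-constraint')
        roles = [r for ac in acs for r in _text(ac, 'role-name')]
        for wrc in _children(sc, 'web-resource-collection'):
            for pat in _text(wrc, 'url-pattern'):
                constraints.append((pat, bool(acs), roles))
    result = {}
    for m in _children(root, 'servlet-mapping'):
        name = _text(m, 'servlet-name')[0]
        for pat in _text(m, 'url-pattern'):
            hits = [c for c in constraints if fnmatch.fnmatch(pat, c[0])]
            result[pat] = {'class': classes.get(name, '?'),
                           'auth': any(h[1] for h in hits),
                           'roles': [r for h in hits for r in h[2]]}
    return result

def unprotected(mapping):
    """URL patterns reachable without any auth-constraint: review these first."""
    return sorted(p for p, info in mapping.items() if not info['auth'])
```

An empty `<auth-constraint/>` (deny all) still counts as protected here, since `auth` is set from the element's presence rather than from its role list.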
